Hide

Hide

Copy

BOX 2020-01-31

Part I Print

Item 1. Business Print

Item 1A. Risk Factors Print

Item 1B. Unresolved Staff Comments Print

Item 2. Properties Print

Item 3. Legal Proceedings Print

Item 4. Mine Safety Disclosure Print

Part II Print

Item 5. Market for Registrant's Common Equity, Related Stockholder Matters and Issuer Purchases of Equity Securities Print

Item 6. Selected Consolidated Financial Data Print

Item 7. Management's Discussion and Analysis of Financial Condition and Results of Operations Print

Item 7A. Quantitative and Qualitative Disclosures About Market Risk Print

Item 8. Financial Statements and Supplementary Data Print

Note 1. Description of Business and Basis of Presentation Print

Note 2. Summary of Significant Accounting Policies Print

Note 3. Revenue Print

Note 4. Fair Value Measurements Print

Note 5. Balance Sheet Components Print

Note 6. Leases Print

Note 7. Commitments and Contingencies Print

Note 8. Debt Print

Note 9. Stockholders' Equity Print

Note 10. Stock-Based Compensation Print

Note 11. Net Loss per Share Print

Note 12. Income Taxes Print

Note 13. Restructuring Print

Note 14. Segments Print

Note 15. 401(K) Plan Print

Item 9. Changes in and Disagreements with Accountants on Accounting and Financial Disclosure Print

Item 9A. Controls and Procedures Print

Item 9B. Other Information Print

Part III Print

Item 10. Directors, Executive Officers and Corporate Governance Print

Item 11. Executive Compensation Print

Item 12. Security Ownership of Certain Beneficial Owners and Management and Related Stockholder Matters Print

Item 13. Certain Relationships and Related Transactions, and Director Independence Print

Item 14. Principal Accountant Fees and Services Print

Part IV Print

Item 15. Exhibits, Financial Statement Schedules Print

Item 16. Form 10-K Summary Print

EX-4.3	box-ex43_276.htm
EX-21.1	box-ex211_9.htm
EX-23.1	box-ex231_10.htm
EX-31.1	box-ex311_6.htm
EX-31.2	box-ex312_8.htm
EX-32.1	box-ex321_7.htm

 

UNITED STATES

SECURITIES AND EXCHANGE COMMISSION

Washington, D.C. 20549

 

FORM 10-K

 

(Mark One)

For the fiscal year ended January 31, 2020

OR

FOR THE TRANSITION PERIOD FROM                      TO                     

Commission File Number 001-36805

 

Box, Inc.

(Exact name of registrant as specified in its Charter)

 

 

900 Jefferson Ave.

Redwood City, California 94063

(Address of principal executive offices and Zip Code)

(877) 729-4269

(Registrant’s telephone number, including area code)

 

Securities registered pursuant to Section 12(b) of the Act:

 

Securities registered pursuant to Section 12(g) of the Act: None

 

Indicate by check mark if the registrant is a well-known seasoned issuer, as defined in Rule 405 of the Securities Act.    YES  ☒    NO  ☐

Indicate by check mark if the registrant is not required to file reports pursuant to Section 13 or 15(d) of the Securities Exchange Act (the Exchange Act).    YES  ☐    NO  ☒

Indicate by check mark whether the registrant: (1) has filed all reports required to be filed by Section 13 or 15(d) of the Exchange Act during the preceding 12 months (or for such shorter period that the registrant was required to file such reports), and (2) has been subject to such filing requirements for the past 90 days.    YES  ☒    NO  ☐

Indicate by check mark whether the registrant has submitted electronically every Interactive Data File required to be submitted pursuant to Rule 405 of Regulation S-T (§232.405 of this chapter) during the preceding 12 months (or for such shorter period that the registrant was required to submit such files).    YES  ☒    NO  ☐

Indicate by check mark whether the registrant is a large accelerated filer, an accelerated filer, a non-accelerated filer, a smaller reporting company, or an emerging growth company. See the definitions of “large accelerated filer,” “accelerated filer,” “smaller reporting company,” and “emerging growth company” in Rule 12b-2 of the Exchange Act. 

 

If an emerging growth company, indicate by check mark if the registrant has elected not to use the extended transition period for complying with any new or revised financial accounting standards provided pursuant to Section 13(a) of the Exchange Act. ☐

Indicate by check mark whether the registrant is a shell company (as defined in Rule 12b-2 of the Exchange Act).    YES  ☐    NO  ☒

The aggregate market value of the voting and non-voting common equity held by non-affiliates of the registrant, based on the closing price of a share of the registrant’s Class A common stock on July 31, 2019 as reported by the New York Stock Exchange on such date was approximately $2.4 billion. Shares of the registrant’s Class A common stock held by each executive officer, director and holder of 10% or more of the outstanding Class A common stock have been excluded in that such persons may be deemed to be affiliates. This calculation does not reflect a determination that certain persons are affiliates of the registrant for any other purpose.

As of February 28, 2020, the number of shares of the registrant’s Class A common stock outstanding was 150,703,700.

Portions of the registrant’s Definitive Proxy Statement relating to the Annual Meeting of Stockholders are incorporated by reference into Part III of this Annual Report on Form 10-K where indicated. Such Definitive Proxy Statement will be filed with the Securities and Exchange Commission within 120 days after the end of the registrant’s fiscal year ended January 31, 2020.

 

 

 

---

Box, Inc.

Annual Report on Form 10-K

For the Fiscal Year Ended January 31, 2020

TABLE OF CONTENTS

 

2

---

SPECIAL NOTE REGARDING FORWARD-LOOKING STATEMENTS

This Annual Report on Form 10-K contains forward-looking statements within the meaning of Section 27A of the Securities Act of 1933, as amended, and Section 21E of the Securities Exchange Act of 1934, as amended, which statements involve substantial risks and uncertainties. Forward-looking statements generally relate to future events or our future financial or operating performance. In some cases, you can identify forward-looking statements because they contain words such as “may,” “will,” “should,” “expects,” “plans,” “anticipates,” “could,” “intends,” “target,” “projects,” “contemplates,” “believes,” “estimates,” “predicts,” “potential” or “continue” or the negative of these words or other similar terms or expressions that concern our expectations, strategy, plans or intentions. Forward-looking statements contained in this Annual Report on Form 10-K include, but are not limited to, statements about:

3

---

These forward-looking statements are subject to a number of risks, uncertainties and assumptions, including those described in the section titled “Risk Factors” and elsewhere in this Annual Report on Form 10-K. Moreover, we operate in a very competitive and rapidly changing environment, and new risks emerge from time to time. It is not possible for our management to predict all risks, nor can we assess the impact of all factors on our business or the extent to which any factor, or combination of factors, may cause actual results to differ materially from those contained in any forward-looking statements we may make. In light of these risks, uncertainties and assumptions, the forward-looking events and circumstances discussed in this Annual Report on Form 10-K may not occur and actual results could differ materially and adversely from those anticipated or implied in the forward-looking statements.

You should not rely upon forward-looking statements as predictions of future events. Although we believe that the expectations reflected in the forward-looking statements are reasonable, we cannot guarantee that the future results, levels of activity, performance or events and circumstances reflected in the forward-looking statements will be achieved or occur. Moreover, neither we nor any other person assumes responsibility for the accuracy and completeness of the forward-looking statements. We undertake no obligation to update publicly any forward-looking statements for any reason after the date of this Annual Report on Form 10-K to conform these statements to actual results or to changes in our expectations, except as required by law.

You should read this Annual Report on Form 10-K and the documents that we reference in this Annual Report on Form 10-K and have filed with the SEC as exhibits to this Annual Report on Form 10-K with the understanding that our actual future results, levels of activity, performance, and events and circumstances may be materially different from what we expect.

 

 

4

---

PART I

Item 1. BUSINESS

Overview

Box provides a leading cloud content management platform that enables organizations of all sizes to securely manage their content while allowing easy, secure access and sharing of this content from anywhere, on any device. With our Software-as-a-Service (SaaS) cloud content management platform, users can collaborate on content both internally and with external parties, automate content-driven business processes, develop custom applications, and implement data protection, security and compliance features to comply with legal and regulatory requirements, internal policies and industry standards and regulations. Box provides a single content platform that accelerates business processes, improves employee productivity and protects an organization’s most valuable data. Our platform enables a broad set of business use cases across enterprises, hundreds of file formats and media types, and user experiences. Our platform integrates with leading enterprise business applications, and is compatible with multiple application environments, operating systems and devices, ensuring that workers have access to their critical business content whenever and wherever they need it.

At our founding, we recognized that content is more accessible, secure and powerful when it is centrally stored, managed, and shared. In 2005, we publicly launched our cloud content management platform, which we have architected from the ground up, with a simple but powerful idea: to make it incredibly easy for people to securely manage, share and collaborate on their most important content online. Our cloud content management platform is built to meet the evolving demands of today’s distributed and mobile workforce, and for enterprises that are looking to benefit from the increasing digitization of business.

Our go-to-market strategy is focused on selling our cloud content management platform as a solution for the entire enterprise with the full set of Box capabilities, leveraging our product suite offerings, and driving high-value significant business outcomes for our customers. This strategy combines top-down, high-touch sales efforts with end-user-driven bottoms-up adoption. We focus our efforts on larger enterprises, capitalizing on international growth, and utilizing our partner ecosystem, where most advantageous. Our sales representatives engage in direct interaction with IT decision makers including CEOs, CIOs, CISOs, IT directors and line of business department heads. We also field inbound inquiries and online sales opportunities. We further expand our market reach by leveraging a network of our channel partners that is comprised of value-added resellers and systems integrators as well as our own consulting services. We offer individuals a free basic version of Box that allows them to experience first-hand our easy-to-use and secure solution. Use of the Box offering often spreads virally within and across organizations, as users adopt Box and invite new users to collaborate. In addition, an organization will frequently purchase Box for one use case and then later expand its deployment to other use cases with larger groups of employees leading to deeper engagement with our service. Our solution selling strategy is focused on ensuring that new and existing customers see the full use-cases and possibilities with our cloud content management platform and the significant business outcomes.

We are building a rich technology partner ecosystem around Box. We offer nearly 1,500 integrations with partners including Microsoft, IBM, Salesforce.com, Apple, Google, Slack, Adobe, Palo Alto Networks, Okta, Zoom and others, giving our users easy access to their content in Box without leaving these applications. In addition, in-house enterprise developers and independent software developers can rapidly build and provision new applications that leverage and extend the core functionality of our services, increasingly with a focus on specific industries and vertical market use cases. To date, tens of thousands of third-party developers have leveraged our platform as the secure content layer for their applications.

We are committed to powering how the world does more good together. Box.org mobilizes our technology, talent, partners and institutional assets to enable nonprofits to innovate and fulfill their missions. Founded in 2014, Box.org now serves over 9,000 nonprofits with donated or discounted Box access, employee volunteer hours and cash grants from the Box.org Fund.

5

---

The Box Solution

We offer web, mobile and desktop applications for cloud content management on a platform for developing custom applications, and a series of industry-specific capabilities. Box features and functionality include the following:

6

---

7

---

Customers

Our user base included over 70.6 million registered users as of January 31, 2020. We define a registered user as a Box account that has been provisioned a unique user identification number. As of January 31, 2020, approximately 81% of our registered users were non-paying users who independently registered for accounts (in many cases to enable them to collaborate securely with our paying enterprise user base) and approximately 19% of our registered users were paying users who registered as part of a larger enterprise or business account or by using a paid personal account.

As of January 31, 2020, we had over 97,000 paying organizations, and our solution was offered in 24 languages. We define paying organizations as separate and distinct buying entities, such as a company, an educational or government institution, or a distinct business unit of a large corporation, that have entered into a subscription agreement with us to utilize our services. Organizations typically purchase our solution in the following ways: (i) employees in one or more small groups within the organization may individually purchase our service; (ii) organizations may purchase IT-sponsored, enterprise-level agreements with deployments for specific, targeted use cases ranging from tens to thousands of user seats; (iii) organizations may purchase IT-sponsored, enterprise-level agreements where the number of user seats sold is intended to accommodate and enable nearly all information workers within the organization in whatever use cases they desire to adopt over the term of the subscription; and (iv) organizations may purchase our Box Platform service to create custom business applications for their internal use and extended ecosystem of customers, suppliers and partners.

We have developed several programs designed to provide customers with service options to quickly get them up and running and enhance their usage of our cloud content management platform. These services include 24x7 support provided by our Customer Success Management group and certain resellers; a professional services ecosystem that consists of our Box Consulting team and system integrators that help customers implement cloud content management oriented use cases; a Customer Success Management group to assist customers in production; and an online community with self-service training materials, best practice guides and product documentation.

One reseller, which is also a customer, represented 10% of our revenue in the year ended January 31, 2020. Our geographic revenue and segment information is set forth in Notes 2 and 14, respectively, of our Notes to Consolidated Financial Statements included in Part II, Item 8 of this Annual Report on Form 10-K.

Sales and Marketing

We offer our solution to our customers as a subscription-based service, with subscription fees based on the requirements of our customers, including the number of users and functionality deployed. The majority of our customers subscribe to our service through one-year contracts, although we also offer our services for terms ranging from one month to three years or more. We typically invoice our customers at the beginning of the term, in multiyear, annual, quarterly or monthly installments. We recognize revenue when, or as we, satisfy a performance obligation. Accordingly, due to our subscription model, we recognize revenue for our subscription and premier services ratably over the term of the contract.

We employ a direct sales team to offer a higher touch experience. We also make it easy for users and organizations to subscribe to paid versions of our service on our self-service web portal. Our sales team is composed of inside sales, outbound sales and field sales personnel who are generally organized by account size and geography, and/or major industry focus. We also have a rich ecosystem of channel partners who expand our reach to both large and small enterprises.

We generate customer leads, accelerate sales opportunities and build brand awareness through our marketing programs and through our strategic relationships. Our marketing programs target senior IT leaders, technology professionals and senior line of business leaders.

As a core part of our strategy, we have developed an ecosystem of partners to both broaden and complement our application offerings and to provide a broad array of services that fall outside of Box’s areas of focus. These relationships include software and technology partners, as well as consulting and implementation services providers that enable Box to address a broader set of use cases for our customers.

Sales and marketing expenses were $317.6 million, $312.2 million and $303.3 million for the years ended January 31, 2020, 2019 and 2018, respectively.

8

---

Research and Development

Our ability to compete depends in large part on our continuous commitment to product development and our ability to rapidly introduce new applications, technologies, features and functionality. In simple conceptual form, we provide a product that allows organizations to securely manage, share and collaborate on files. In practice, we develop and maintain a set of sophisticated software services (e.g., search, share, secure, convert/view, logging) around corporate content. These services, which comprise our platform, are used to develop our own applications (e.g., sync, desktop, web, native mobile) and also support the development of third-party applications.

Our product development organization is responsible for the specification, design, development and testing of our platform and applications. We focus our efforts on improving the usability, security, reliability, performance and flexibility of the services in our platform. We strive to continually improve our applications so that they help users and teams become more productive in their day-to-day work.

Research and development expenses were $199.8 million, $163.8 million and $136.8 million for the years ended January 31, 2020, 2019 and 2018, respectively.

Competition

The cloud content management market is large, highly competitive and highly fragmented. It is subject to rapidly evolving technology, shifting customer needs and frequent introductions of new products and services. We face competition from a broad spectrum of technology providers: traditional cloud content management vendors who deploy on-premise and offer deep records management, business process workflow, and archival capabilities; newer mobile enterprise vendors who are beginning to enter the content collaboration market; vendors whose core competency is simple file sync and share, which can be deployed on-premise, hybrid, or via a SaaS delivery model; and social collaboration vendors who focus on the conversations that occur between teams are adding adjacent content capabilities onto an existing product, or serve a particular business or industry use case. Our primary competitors in the cloud content management market include, but are not limited to, Microsoft and Open Text (Documentum). In the enterprise file sync and share market, our primary competitors include, but are not limited to, Microsoft, Google and, to a lesser extent, Dropbox.

We may face future competition in our markets from other large, established companies, as well as from smaller specialized companies. In addition, we expect continued consolidation in our industry which could adversely alter the competitive dynamics of our markets including both pricing and our ability to compete successfully for customers.

The principal competitive factors in our market include:

9

---

We believe that we compete favorably on the basis of these factors. Our ability to remain competitive will depend to a great extent upon our ongoing performance in the areas of product development, core technical innovation, platform and partner ecosystem, and customer support. In addition, many of our competitors, particularly the large software companies named above, may have greater name recognition, longer operating histories, larger marketing budgets, significantly greater resources and established relationships with our partners and customers, which can give them advantageous positioning for their products despite other competitive merits of respective product features and functionality. Some competitors may be able to devote greater resources to the development, promotion and sale of their products than we can to ours, which could allow them to respond more quickly than we can to new technologies and changes in customer needs.

Intellectual Property

We rely on a combination of trade secrets, patents, copyrights and trademarks, as well as contractual protections, to establish and protect our intellectual property rights. As of January 31, 2020, our patents were set to expire between 2028 and 2038. We intend to pursue additional patent protection to the extent that we believe it would be beneficial and cost effective.

We require our employees, contractors, consultants and other third parties to enter into confidentiality and proprietary rights agreements and control access to software, documentation and other proprietary information. Although we rely on intellectual property rights, including trade secrets, patents, copyrights and trademarks, as well as contractual protections, to establish and protect our proprietary rights, we believe that factors such as the technological and creative skills of our personnel, creation of new modules, features and functionality, and frequent enhancements to our applications are more essential to establishing and maintaining our technology leadership position.

Despite our efforts to protect our proprietary technology and our intellectual property rights, unauthorized parties may attempt to copy or obtain and use our technology to develop applications with the same functionality as our services. Policing unauthorized use of our technology and intellectual property rights on a global basis is difficult.

We expect that software and other applications in our industry may be subject to third-party infringement claims as the number of competitors grows and the functionality of applications in different industry segments overlaps. Any of these third parties might make a claim of infringement against us at any time.

 

Backlog

We generally sign annual and multiple-year subscription contracts for our cloud content management services. The frequency of our invoices to each customer is negotiated and varies among our subscription contracts. We continued to focus on annual payment frequencies for multi-year contracts in the twelve months ended January 31, 2020. As a result, for multi-year contracts, we frequently invoice an initial amount at contract signing followed by subsequent annual invoices. Until amounts are invoiced, they are typically not recorded in revenue, deferred revenue, billings or elsewhere in our consolidated financial statements other than disclosed as part of remaining performance obligations. To the extent future invoicing is determined to be certain, we consider such future subscription invoices to be non-cancellable backlog, which is disclosed as part of remaining performance obligations. Future invoicing is determined to be certain when we have an executed non-cancellable contract or a significant penalty is due upon cancellation, and invoicing is not dependent on a future event such as the delivery of a specific new product or feature, or the achievement of contractual contingencies. We had $353.4 million and $311.4 million of non-cancellable backlog as of January 31, 2020 and 2019, respectively. The increase of non-cancellable backlog as of January 31, 2020 was primarily driven by the addition of new customers, expansion within existing customers as they broaden their deployment of our product offerings, and the timing of customer driven renewals.

10

---

We expect that the amount of backlog relative to the total value of our contracts will change from year to year due to several factors, including the timing and duration of customer subscription agreements, varying price, volume, and invoicing cycles of subscription contracts, the timing of customer regularly scheduled renewals, and foreign currency fluctuations. Accordingly, we believe that fluctuations in backlog are not always a reliable indicator of future revenue and we do not utilize backlog as a key management metric internally.

Employees

As of January 31, 2020, we had 2,046 employees. None of our employees are represented by a labor union. We have not experienced any work stoppages, and we consider our relations with our employees to be very good.

Corporate Information

Our principal executive offices are located at 900 Jefferson Ave., Redwood City, California 94063, and our telephone number is (877) 729-4269. Our website address is www.box.com, and our investor relations website is located at www.box.com/investors. The information on, or that can be accessed through, our website is not part of this Annual Report on Form 10-K. We were incorporated in 2005 as Box.Net, Inc., a Washington corporation, and later reincorporated in 2008 under the same name as a Delaware corporation. In November 2011, we changed our name to Box, Inc. The Box design logo, “Box” and our other registered and common law trade names, trademarks and service marks are the property of Box, Inc. Other trademarks, service marks, or trade names appearing in this Annual Report on Form 10-K are the property of their respective owners.

Available Information

We file annual reports on Form 10-K, quarterly reports on Form 10-Q, current reports on Form 8-K, and amendments to reports filed or furnished pursuant to Sections 13(a) and 15(d) of the Securities Exchange Act of 1934, as amended. The SEC maintains a website at www.sec.gov that contains reports, proxy and information statements and other information that we file with the SEC electronically. Copies of our reports on Form 10-K, Forms 10-Q, Forms 8-K, and amendments to those reports may also be obtained, free of charge, electronically through our investor relations website located at www.box.com/investors as soon as reasonably practical after we file such material with, or furnish it to, the SEC.

We also use our investor relations website as a channel of distribution for important company information. Important information, including press releases, analyst presentations and financial information regarding us, as well as corporate governance information, is routinely posted and accessible on certain Twitter accounts, such as @box, @levie and @boxincir. Information on, or that can be accessed through, our websites or these Twitter accounts is not part of this Annual Report on Form 10-K, and the inclusion of our website addresses and Twitter accounts are inactive textual references only.

11

---

Item 1A. RISK FACTORS

Investing in our Class A common stock involves a high degree of risk. You should carefully consider the risks and uncertainties described below, together with all of the other information in this Annual Report on Form 10-K, including in the section titled “Management’s Discussion and Analysis of Financial Condition and Results of Operations” and our consolidated financial statements and related notes, before making a decision to invest in our Class A common stock. If any of the risks actually occur, our business, financial condition, operating results and prospects could be materially and adversely affected. In that event, the market price of our Class A common stock could decline, and you could lose part or all of your investment.

Risks Related to Our Business and Our Industry

We have a history of cumulative losses, and we do not expect to be profitable for the near future.

We have incurred significant losses in each period since our inception in 2005. We incurred net losses of $144.3 million, $134.6 million and $155.0 million in our fiscal years ended January 31, 2020, 2019 and 2018, respectively. As of January 31, 2020, we had an accumulated deficit of $1.3 billion. These losses and accumulated deficit reflect the substantial investments we made to acquire new customers and develop our services. We intend to continue scaling our business to increase our number of users and paying organizations and to meet the increasingly complex needs of our customers. We have invested, and expect to continue to invest, in our sales and marketing organizations to sell our services around the world and in our product development organization to deliver additional features and capabilities of our cloud services to address our customers’ evolving needs. We also expect to continue to make significant investments in our infrastructure and in our professional service organization as we focus on customer success. As a result of our continuing investments to scale our business in each of these areas, we do not expect to be profitable for the near future. Furthermore, to the extent we are successful in increasing our customer base, we will also incur increased losses due to upfront costs associated with acquiring new customers, including as a result of the limited free trial version of our service, and the nature of subscription revenue, which is generally recognized ratably over the term of the subscription period, which is typically one year, although we also offer our services for terms ranging from one month to three years or more. We cannot assure you that we will achieve profitability in the future or that, if we do become profitable, we will sustain profitability.

The market in which we participate is intensely competitive, and if we do not compete effectively, our operating results could be harmed.

The market for cloud content management services is fragmented, rapidly evolving and highly competitive, with relatively low barriers to entry for certain applications and services. Many of our competitors and potential competitors are larger and have greater brand recognition, substantially longer operating histories, larger marketing budgets and significantly greater resources than we do. Our primary competitors in the cloud content management market include, but are not limited to, Microsoft and Open Text (Documentum). In the enterprise file sync and share market, our primary competitors include, but are not limited to, Microsoft, Google and, to a lesser extent, Dropbox. With the introduction of new technologies and market entrants, we expect competition to continue to intensify in the future. If we fail to compete effectively, our business will be harmed. Some of our principal competitors offer their products or services at a lower price or for free, which has resulted in pricing pressures on our business. If we are unable to achieve our target pricing levels, our operating results would be negatively impacted. In addition, pricing pressures and increased competition generally could result in reduced sales, lower margins, losses or the failure of our services to achieve or maintain widespread market acceptance, any of which could harm our business.

Many of our competitors are able to devote greater resources to the development, promotion and sale of their products or services. In addition, many of our competitors have established marketing relationships and major distribution agreements with channel partners, consultants, system integrators and resellers. Moreover, many software vendors could bundle products or offer them at lower prices as part of a broader product sale or enterprise license arrangement. Some competitors may offer products or services that address one or a number of business execution functions at lower prices or with greater depth than our services. Our competitors may be able to respond more quickly and effectively to new or changing opportunities, technologies, standards or customer requirements. Furthermore, some potential customers, particularly large enterprises, may elect to develop their own internal solutions. For any of these reasons, we may not be able to compete successfully against our current and future competitors.

12

---

If the market for cloud-based enterprise services declines or develops more slowly than we expect, our business could be adversely affected.

The market for cloud-based enterprise services is not as mature as the on-premise enterprise software market. Because we derive, and expect to continue to derive, substantially all of our revenue and cash flows from sales of our cloud content management solutions, our success will depend to a substantial extent on the widespread adoption of cloud computing in general and of cloud-based content management services in particular. Many organizations have invested substantial personnel and financial resources to integrate traditional enterprise software into their organizations and, therefore, may be reluctant or unwilling to migrate to a cloud-based model for storing, accessing, sharing and managing their content. It is difficult to predict customer adoption rates and demand for our services, the future growth rate and size of the cloud computing market or the entry of competitive services. The expansion of the cloud content management market depends on a number of factors, including the cost, performance and perceived value associated with cloud computing, as well as the ability of companies that provide cloud-based services to address security and privacy concerns. If we or other providers of cloud-based services experience security incidents, loss or corruption of customer data, disruptions in delivery of services, network outages, disruptions in the availability of the internet or other problems, the market for cloud-based services as a whole, including our services, may be negatively affected. If there is a reduction in demand for cloud-based services caused by a lack of customer acceptance, technological challenges, weakening economic or political conditions, security or privacy concerns, competing technologies and products, decreases in corporate spending or otherwise, it could result in decreased revenue, harm our growth rates, and adversely affect our business and operating results.

Our business depends substantially on customers renewing their subscriptions with us and expanding their use of our services. Any decline in our customer renewals or failure to convince our customers to broaden their use of our services would harm our future operating results.

In order for us to maintain or improve our operating results, it is important that our customers renew their subscriptions with us when their existing subscription term expires. Our customers have no obligation to renew their subscriptions upon expiration, and we cannot assure you that customers will renew subscriptions at the same or higher level of service, if at all. Although our retention rate remains high, it has decreased over time, and may continue to decrease in the future, as some of our customers have elected and may elect not to renew their subscriptions with us or to decrease the scope of their deployments. For example, our retention rate was approximately 104% as of January 31, 2020, compared to 108% as of January 31, 2019.

Our retention rate may decline or fluctuate as a result of a number of factors, including our customers’ satisfaction or dissatisfaction with our services, the effectiveness of our customer support services, the performance of our partners and resellers, our pricing, the prices of competing products or services, mergers and acquisitions affecting our customer base, the effects of global economic conditions or reductions in our customers’ spending levels. If our customers do not renew their subscriptions, purchase fewer seats, renew them on less favorable terms or fail to purchase new product offerings, our revenue may decline, and we may not realize improved operating results from our customer base.

In addition, the growth of our business depends in part on our customers expanding their use of our services. The use of our cloud content management platform often expands within an organization as new users are added or as additional services are purchased by or for other departments within an organization. Further, as we have introduced new services throughout our operating history, our existing customers have constituted a significant portion of the users of such services. If we are unable to encourage our customers to broaden their use of our services, our operating results may be adversely affected.

13

---

If we are not able to successfully launch new products and services, or provide enhancements or modifications to our existing products and services, our business could be adversely affected.

Our industry is marked by rapid technological developments and new and enhanced applications and services. If we are unable to provide enhancements and new features for our existing services or offer new services that achieve market acceptance or that keep pace with rapid technological developments, our business could be adversely affected. For example, we provide Box Platform, which allows our customers to leverage Box’s powerful content services within their own custom applications; Box KeySafe, a solution that builds on top of Box’s strong encryption and security capabilities to give customers greater control over the encryption keys used to secure the file contents that are stored with Box; Box Zones, which gives global customers the ability to store their data locally in certain regions; Box Governance, which gives customers a better way to comply with regulatory policies, satisfy e-discovery requests and effectively manage sensitive business information; and Box Skills, which enables customers to leverage a variety of machine learning tools to accelerate their business processes and help extract meaning from customers unstructured content. In June 2019, we launched the all new Box Relay, which provides our customers with powerful workflow automation tools to improve business processes. In addition, in October 2019 we launched Box Shield, a set of new content security controls and intelligent threat detection capabilities that enables enterprises to secure and protect their most valuable intellectual property and help prevent accidental data leakage, detect potential access misuse and proactively identify potential security threats. The success of any new products and services, enhancements, or modifications to existing products and services depends on several factors, including the timely completion, introduction and market acceptance of such enhancements, integrations, products or services. Failure in this regard may significantly impair our revenue growth and our future financial results. In addition, because our services are designed to operate on a variety of systems, we will need to continuously modify and enhance our services to keep pace with changes in internet-related hardware, mobile operating systems such as iOS and Android, and other software, communication, browser and database technologies. We may not be successful in either developing these modifications and enhancements or in bringing them to market in a timely fashion. Furthermore, modifications to existing platforms or technologies will increase our research and development expenses. Any failure of our services to operate effectively with existing or future network platforms and technologies could reduce the demand for our services, result in customer dissatisfaction and adversely affect our business.

Actual or perceived security vulnerabilities in our services or any breaches of our security controls and unauthorized access to our or a customer’s data could harm our business and operating results.

The services we offer involve the storage of large amounts of our customers’ sensitive and proprietary information across a broad spectrum of industries. Additionally, we collect and store certain sensitive and proprietary information in the operation of our business, including trade secrets, employee data, and other confidential data. Cyberattacks and other malicious internet-based activity continue to increase in frequency and in magnitude generally, and cloud-based content collaboration services have been targeted in the past. These increasing threats are being driven by a variety of sources including nation-state sponsored espionage and hacking activities, industrial espionage, organized crime, sophisticated organizations and hacking groups and individuals. These sources can also implement social engineering techniques to induce our partners, users, employees or customers to disclose passwords or other sensitive information or take other actions to gain access to our data or our users’ data. Hackers that acquire user account information at other companies can attempt to use that information to compromise the accounts of personnel, or our users’ accounts if an account shares the same sensitive information such as passwords. In addition, because the Box service is configured by administrators and users to select their default settings, the third-party integrations they enable, and their privacy and permissions settings, this may lead to an administrator or user intentionally or inadvertently configuring settings to share their sensitive data. For example, a Box user can choose to share the content they store in Box with third-parties by creating a link that can be customized to be accessible by anyone with the link. While this feature is designed to be used for a variety of legitimate use cases in which a user wishes to share non-sensitive content with a broad or public audience, if a user were to intentionally or inadvertently configure a setting that allowed public access to their sensitive data, that data could be discovered and accessed by an unintended third party. As we increase our customer base and our brand becomes more widely known and recognized, and as our service is used in more heavily regulated industries where there may be a greater concentration of sensitive and protected data, such as healthcare, government, life sciences, and financial services, we may become more of a target for these malicious third parties.  

14

---

If our security measures are or are believed to be inadequate or breached as a result of third-party action, employee negligence, error or malfeasance, product defects, social engineering techniques, improper user configuration or otherwise, and this results in, or is believed to result in, the disruption of the confidentiality, integrity or availability of our data or our customers’ data, we could incur significant liability to various parties, including our customers and to individuals or organizations whose information is being stored by our customers, and our business may suffer and our reputation or competitive position may be damaged. Given that our customers manage significant amounts of sensitive and proprietary information on our platform, and many of our customers are in heavily regulated industries where there may be a greater concentration of sensitive and protective data, our reputation and market position are particularly sensitive to impacts from actual or perceived security breaches or concerns regarding security. Techniques used to obtain unauthorized access to, or to sabotage, systems or networks, are constantly evolving and generally are not recognized until launched against a target. Therefore, we may be unable to anticipate these techniques, react in a timely manner, or implement adequate preventive measures, and we may face delays in our detection or remediation of, or other responses to, security breaches and other security-related incidents. We also expect to incur significant costs in an effort to detect and prevent security breaches and other security-related incidents, and we may face increased costs and requirements to expend substantial resources in the event of an actual or perceived security breach or other security-related incident. Additionally, our service providers may suffer, or be perceived to suffer, data security breaches or other incidents that may compromise data stored or processed for us that may give rise to any of the foregoing.

Our customer contracts often include (i) specific obligations that we maintain the availability of the customer’s data through our service and that we secure customer content against unauthorized access or loss, and (ii) provisions whereby we indemnify our customers for third-party claims asserted against them that result from our failure to maintain the availability of their content or securing the same from unauthorized access or loss. While our customer contracts contain limitations on our liability in connection with these obligations and indemnities, if an actual or perceived security breach occurs, the market perception of the effectiveness of our security measures could be harmed, we could be subject to indemnity or damage claims in certain customer contracts, and we could lose future sales and customers, any of which could harm our business and operating results. Furthermore, while our errors and omissions insurance policies include liability coverage for certain of these matters, if we experienced a widespread security breach or other incident that impacted a significant number of our customers to whom we owe indemnity obligations, we could be subject to indemnity claims or other damages that exceed our insurance coverage. We also cannot be certain that our insurance coverage will be adequate for data handling or data security liabilities actually incurred, that insurance will continue to be available to us on economically reasonable terms, or at all, or that any insurer will not deny coverage as to any future claim. The successful assertion of one or more large claims against us that exceed available insurance coverage, or the occurrence of changes in our insurance policies, including premium increases or the imposition of large deductible or co-insurance requirements, could have a material adverse effect on our business, including our financial condition, operating results, and reputation.

Our sales to government entities are subject to a number of additional challenges and risks.

We sell to U.S. federal and state and foreign government customers, and we may increase sales to government entities in the future. Sales to government entities are subject to a number of additional challenges and risks. Selling to government entities can be highly competitive, expensive and time consuming, often requiring significant upfront time and expense without any assurance that these efforts will generate a sale. Government certification requirements may change, or we may lose one or more government certifications, and in doing so restrict our ability to sell into the government sector or maintain existing government customers until we have attained revised certifications. Government demand and payment for our products and services are affected by public sector budgetary cycles and funding authorizations, with funding reductions or delays adversely affecting public sector demand for our solutions. An extended federal government shutdown resulting from budgetary decisions may limit or delay federal government spending on our solutions and adversely affect our revenue. Government entities may also have statutory, contractual or other legal rights to terminate contracts with us for convenience or due to a default, and any such termination may adversely affect our future operating results.

15

---

As a substantial portion of our sales efforts are increasingly focused on cloud content management use cases and are targeted at enterprise and highly-regulated customers, our sales cycles may become longer and more expensive, we may encounter greater pricing pressure and implementation and customization challenges, and we may have to delay revenue recognition for more complicated transactions, all of which could harm our business and operating results.

As a substantial portion of our sales efforts are increasingly focused on cloud content management use cases and are targeted at enterprise and highly-regulated customers, we face greater costs, longer sales cycles and less predictability in the completion of some of our sales. In this market segment, the customer’s decision to use our services may be an enterprise-wide decision, in which case these types of sales require us to provide greater levels of customer education regarding the uses and benefits of our services, as well as education regarding security, privacy, and data protection laws and regulations, especially for those customers in more heavily regulated industries or those with significant international operations. In addition, larger enterprises may demand more customization, integration and support services, and features. As a result of these factors, these sales opportunities may require us to devote greater sales support and professional services resources to these customers, which could increase our costs, lengthen our sales cycle and leave fewer sales support and professional services resources for other customers. Professional services may also be performed by a third party or a combination of our own staff and a third party. Our strategy is to work with third parties to increase the breadth of capability and depth of capacity for delivery of these services to our customers. If a customer is not satisfied with the quality or interoperability of our services with their own IT environment, we could incur additional costs to address the situation, which could adversely affect our margins. Moreover, any customer dissatisfaction with our services could damage our ability to encourage broader adoption of our services by that customer. In addition, any negative publicity resulting from such situations, regardless of its accuracy, may further damage our business by affecting our ability to compete for new business with current and prospective customers.

Privacy concerns and laws or other domestic or foreign regulations may reduce the effectiveness of our services and harm our business.

Users can use our services to store identifying information or information that otherwise is considered personal information. Federal, state and foreign government bodies and agencies have adopted or are considering adopting laws and regulations regarding the collection, use and disclosure of personal information obtained from consumers and other individuals. Foreign data protection, privacy, consumer protection and other laws and regulations, particularly in Europe, are often more restrictive than those in the United States. The costs of compliance with, and other burdens imposed by, such laws and regulations that are applicable to our business or the businesses of our customers may limit the use and adoption of our services and reduce overall demand for them.

These U.S. federal and state and foreign laws and regulations, which can be enforced by private parties or governmental entities, are constantly evolving and can be subject to significant change. A number of new laws coming into effect and/or proposals pending before federal, state and foreign legislative and regulatory bodies could affect our business. For example, the European Commission has enacted a General Data Protection Regulation (GDPR) that became effective in May 2018, superseding prior EU data protection legislation, imposing more stringent EU data protection requirements, and providing for greater penalties for noncompliance of up to the greater of 20 million euros or four percent of a company’s global revenue. The GDPR imposes significant obligations on companies regarding the handling of personal data. If we are unable to develop and offer services that meet our legal duties or help our customers meet their obligations under the GDPR or other laws or regulations relating to privacy, data protection, or information security, we may experience reduced demand for our services and become subject to significant fines and penalties, all of which would harm our business. Although U.S. and EU authorities reached agreement in 2016, regarding a means for legitimizing personal data transfers from the European Economic Area (EEA) to the United States under EU data protection law, the EU-U.S. Privacy Shield, it has faced legal challenges. It is unclear what effect these or any future challenges to the EU-U.S. Privacy Shield will have and whether it or the related Swiss-EU Privacy Shield will continue to function as an appropriate means for us to legitimize personal data transfers from the EEA or Switzerland to the U.S. Additionally, in 2018, the State of California enacted the California Consumer Privacy Act (CCPA), that became operative on January 1, 2020. The CCPA requires covered companies to, among other things, provide new disclosures to California consumers, and afford such consumers new abilities to opt-out of certain sales of personal information. The CCPA is the subject of proposed regulations issued by the California Attorney General in October 2019, but they have yet to be finalized. Aspects of the CCPA and its

16

---

interpretation and enforcement remain unclear. We cannot fully predict the impact of the CCPA on our business or operations, but it may require us to modify our data processing practices and policies and to incur substantial costs and expenses in an effort to comply. There also have been a number of recent legislative proposals in the United States, at both the federal and state level, that would impose new obligations in areas such as privacy and liability for copyright infringement by third parties. In June 2016, the United Kingdom voted to leave the European Union, commonly referred to as “Brexit,” which resulted in the United Kingdom exiting the European Union on January 31, 2020. Brexit could also lead to further legislative and regulatory changes. The UK Data Protection Act that substantially implements the GDPR became law in May 2018, and was the subject of statutory amendments that further aligned it with the GDPR in 2019. It remains unclear, however, how United Kingdom data protection laws or regulations will develop in the medium to longer term and how data transfers to and from the United Kingdom will be regulated. In addition, some countries are considering or have enacted legislation requiring local storage and processing of data that could increase the cost and complexity of delivering our services.

These existing and proposed laws and regulations can be costly to comply with, can delay or impede the development or adoption of our products and services, reduce the overall demand for our products and services, increase our operating costs, require significant management time and attention, slow the pace at which we close (or prevent us from closing) sales transactions. Additionally, any actual or alleged noncompliance with these laws and regulations could result in negative publicity and subject us to investigations, claims or other remedies, including demands that we modify or cease existing business practices, and expose us to significant fines, penalties and other damages.

Furthermore, government agencies may seek to access sensitive information that our users upload to Box, or restrict users’ access to Box. Laws and regulations relating to government access and restrictions are evolving, and compliance with such laws and regulations could limit adoption of our services by users and create burdens on our business. Moreover, regulatory investigations into our compliance with privacy-related laws and regulations could increase our costs and divert management attention.

If we are not able to satisfy data protection, security, privacy, and other government- and industry-specific requirements, our growth could be harmed.

There are a number of data protection, security, privacy and other government- and industry-specific requirements, including those that require companies to notify individuals of data security incidents involving certain types of personal data. Security compromises experienced by our competitors, by our customers or by us may lead to public disclosures, which could harm our reputation, erode customer confidence in the effectiveness of our security measures, negatively impact our ability to attract new customers, or cause existing customers to elect not to renew their agreements with us. In addition, some of the industries we serve have industry-specific requirements relating to compliance with certain security and regulatory standards, such as GxP and FedRAMP, and those required by HIPAA, FINRA, and the HITECH Act. As we expand into new industry verticals and regions, we will likely need to comply with these and other new requirements to compete effectively. If we cannot adequately comply or if we incur a violation of one or more of these requirements, our growth could be adversely impacted, and we could incur significant liability and our reputation and business could be harmed.

Because we recognize revenue from subscriptions for our services over the term of the subscription, downturns or upturns in new business may not be immediately reflected in our operating results.

We generally recognize revenue from customers ratably over the terms of their subscription agreements, which are typically one year, although we also offer our services for terms ranging from one month to three years or more. As a result, most of the revenue we report in each quarter is the result of subscription agreements entered into during prior quarters. Consequently, a decline in new or renewed subscriptions in any one quarter may not be reflected in our revenue results for that quarter. However, any such decline will negatively affect our revenue in future quarters. Accordingly, the effect of significant downturns in sales, our failure to achieve our internal sales targets, a decline in the market acceptance of our services, or potential decreases in our retention rate may not be fully reflected in our operating results until future periods. Our subscription model also makes it difficult for us to rapidly increase our revenue through additional sales in any period, as revenue from additional sales must be recognized over the applicable subscription term.

17

---

Our platform must integrate with a variety of operating systems and software applications that are developed by others, and if we are unable to ensure that our solutions interoperate with such systems and applications, our service may become less competitive, and our operating results may be harmed.

We offer our services across a variety of operating systems and through the internet. We are dependent on the interoperability of our platform with third-party mobile devices, tablets, desktop and mobile operating systems, as well as web browsers that we do not control. Any changes in such systems, devices or web browsers that degrade the functionality of our services or give preferential treatment to competitive services could adversely affect usage of our services. In order for us to deliver high quality services, it is important that these services work well with a range of operating systems, networks, infrastructure, devices, web browsers and standards that we do not control. In addition, because a substantial number of our users access our services through mobile devices, we are particularly dependent on the interoperability of our services with mobile devices and mobile operating systems. We may not be successful in developing relationships with key participants in the mobile industry or in developing services that operate effectively with these operating systems, networks, infrastructure, devices, web browsers and standards. In the event that it is difficult for our users to access and use our services, our user growth may be harmed, and our business and operating results could be adversely affected.

If we are unable to attract new customers or expand deployments with existing customers at rates that are consistent with our expectations, our future revenue and operating results could be adversely impacted.

In order for us to improve our operating results and continue to grow our business, it is important that we continue to attract new customers and expand deployment of our solutions and products with existing customers. To the extent we are successful in increasing our customer base, we could incur increased losses because costs associated with new customers are generally incurred up front, while revenue is recognized ratably over the term of our subscription services. Alternatively, to the extent we are unsuccessful in increasing our customer base, we could also incur increased losses as costs associated with marketing programs and new products intended to attract new customers would not be offset by incremental revenue and cash flow. Furthermore, if our customers do not expand their deployment of our services or purchase new products from us, our revenue may grow more slowly than we expect. All of these factors could negatively impact our future revenue and operating results.

Our quarterly results may fluctuate significantly and may not fully reflect the underlying performance of our business.

Our quarterly operating results, including the levels of our revenue, billings, gross margin, profitability, cash flow, deferred revenue, unrecognized revenue and remaining performance obligations, may vary significantly in the future, and period-to-period comparisons of our operating results may not be meaningful. Accordingly, the results of any one quarter should not be relied upon as an indication of future performance. Our quarterly financial results may fluctuate as a result of a variety of factors, many of which are outside of our control and, as a result, may not fully reflect the underlying performance of our business. Fluctuations in quarterly results may negatively impact the value of our Class A common stock. Factors that may cause fluctuations in our quarterly financial results include, but are not limited to:

18

---

If we fail to effectively manage our technical operations infrastructure, our customers may experience service outages and delays in the deployment of our services, which may adversely affect our business.

We have experienced significant growth in the number of users and the amount of data that our operations infrastructure supports. We seek to maintain sufficient excess capacity in our operations infrastructure to meet the needs of all of our customers. We also seek to maintain excess capacity to facilitate the rapid provisioning of new customer deployments and the expansion of existing customer deployments. In addition, we need to properly manage our technological operations infrastructure in order to support version control, changes in hardware and software parameters and the evolution of our services. However, the provision of new hosting infrastructure requires significant lead-time. We have experienced, and may in the future experience, website disruptions, incidents of data corruption, service outages and other performance problems. These problems may be caused by a variety of factors, including infrastructure changes, changes to our core services architecture, changes to our infrastructure necessitated by legal and compliance requirements governing the storage and transmission of data, human or software errors, viruses, security attacks, fraud, spikes in customer usage, primary and redundant hardware or connectivity failures, dependent data center and other service provider failures and denial of service issues. In some instances, we may not be able to identify the cause or causes of these performance problems within an acceptable period of time, which may harm our reputation and operating results. Furthermore, if we encounter any of these problems in the future, our customers may lose access to important data or experience data corruption or service outages that may subject us to financial penalties, other liabilities and customer losses. If our operations infrastructure fails to keep pace with increased sales, customers may experience delays as we seek to obtain additional capacity, which could adversely affect our reputation and our business.

Interruptions or delays in service from our third-party data center hosting facilities and cloud computing and hosting providers could impair the delivery of our services and harm our business.

We currently store and process our customers’ information within multiple third-party data center hosting facilities located in Nevada and in third-party cloud computing and hosting facilities inside and outside of the United States. As part of our current disaster recovery arrangements, our production environment and metadata related to our customers’ data is currently replicated in near real time in facilities located in Nevada. In addition, all of our customers’ data is typically replicated on a third-party storage platform located inside and outside of the United States. These facilities may be located in areas prone to natural disasters and may experience events such as earthquakes, floods, fires, power loss, telecommunications failures and similar events. They may also be subject to break-ins, sabotage, intentional acts of vandalism, cyber-attacks and similar misconduct, including by state-sponsored or otherwise well-funded actors. Any damage to, or failure of, our systems generally, or those of the third-party cloud computing and hosting providers, could result in interruptions in our service. Interruptions in our service may reduce our revenue, cause us to issue credits or pay penalties, cause customers to terminate their subscriptions and adversely affect our renewal rate and our ability to attract new customers. In addition, we may not

19

---

have adequate insurance coverage to compensate for losses from a major interruption. Our business will also be harmed if our customers and potential customers believe our service is unreliable. Despite precautions taken at these facilities, the occurrence of natural or man-made disasters, security issues (including an act of terrorism or an armed conflict), certain geopolitical events, labor or trade disputes, a decision to close the facilities without adequate notice or other unanticipated problems at these facilities could result in lengthy interruptions in our service or cause us to not comply with certification requirements. Even with the disaster recovery arrangements, we have never performed a full live failover of our services and, in an actual disaster, we could learn our recovery arrangements are not sufficient to address all possible scenarios and our service could be interrupted for a longer period than expected. For example, in September 2019, a modification to a perimeter network configuration caused an internal routing problem which led to all Box services being temporarily unavailable. As we continue to add data centers, increase our dependence on third-party cloud computing and hosting providers, and add capacity in our existing data centers, we may move or transfer our data and our customers’ data. In particular, as part of our hybrid cloud infrastructure strategy, we are in the process of migrating our primary data centers to significantly lower cost regions in order to continue to optimize infrastructure efficiency and to support the growth in our paying customers. Despite precautions taken during any of these data center moves and data transfers, any unsuccessful data transfers may impair the delivery of our service and could materially and adversely disrupt our operations and our service delivery to our customers, which could result in contractual penalties or damage claims from customers. In addition, changes to our data center infrastructure could occur over a period longer than planned, could require greater than expected investment and other internal and external resources and could cause us to incur increased costs as we operate multiple data center facilities. It may also take longer to realize the intended favorable benefits from any data center infrastructure migrations and improvements than expected, and disruptions or unexpected costs may continue to occur while we enhance our data center infrastructure.

Our business is subject to the risks of natural disasters, pandemics and other catastrophic events.

The occurrence of any catastrophic event, including a pandemic (such as that related to COVID-19), earthquake, fire, flood, tsunami, or other weather event, power loss, telecommunications failure, software or hardware malfunctions, cyber-attack, war, or terrorist attack, could result in lengthy interruptions in our service. Our corporate headquarters is located in the San Francisco Bay Area, a region known for seismic activity. Our insurance coverage may not compensate us for losses that may occur in the event of an earthquake or other significant natural disaster. In addition, pandemics, acts of terrorism or war could cause disruptions to the Internet or the economy as a whole, which could have a significant impact on our business and operating results. For example, the recent coronavirus (COVID-19) outbreak, which has been declared a pandemic by the World Health Organization, could disrupt or have a material adverse effect on our business or the business of our partners and customers. The extent to which the coronavirus (COVID-19) outbreak impacts our business, results of operations and financial condition will depend on future developments, which are highly uncertain and cannot be predicted. In addition, a health epidemic could adversely affect the economies of many countries, resulting in an economic downturn that could affect demand for our services and likely impact our operating results. Even with our disaster recovery arrangements, our services could be interrupted. Our partners, suppliers, and customers are also subject to the risk of catastrophic events. In those events, our ability to deliver our services in a timely manner, as well as the demand for our services, may be adversely impacted by factors outside our control.  If our systems were to fail or be negatively impacted as a result of a natural disaster, pandemic or other catastrophic event, our ability to deliver our services to our customers would be impaired, we could lose critical data, our reputation could suffer and we could be subject to contractual penalties.

If we overestimate or underestimate our data center capacity requirements, our operating results could be adversely affected.

Only a small percentage of our customers that are organizations currently use our service as a way to organize all of their internal files. In particular, larger organizations and enterprises typically use our service to connect people and their most important information so that they are able to get work done more efficiently. However, over time, we may experience an increase in customers that look to Box as their complete cloud content management solution. The costs associated with leasing and maintaining our data centers already constitute a significant portion of our capital and operating expenses. We continuously evaluate our short- and long-term data center capacity requirements to ensure adequate capacity for new and existing customers while minimizing unnecessary excess capacity costs. If we overestimate the demand for our cloud content management services and therefore secure

20

---

excess data center capacity, or if we are unable to meet our contractual minimum commitments, our operating margins could be reduced. If we underestimate our data center capacity requirements, we may not be able to service the expanding needs of new and existing customers and may be required to limit new customer acquisition, which would impair our revenue growth. Furthermore, regardless of our ability to appropriately manage our data center capacity requirements, an increase in the number of organizations, in particular large businesses and enterprises, that use our service as a larger component of their content storage requirements, could result in lower gross and operating margins or otherwise have an adverse impact on our financial condition and operating results.

We depend on highly skilled personnel to grow and operate our business, and if we are unable to hire, retain and motivate our personnel, we may not be able to grow effectively.

Our future success depends upon our continued ability to identify, hire, develop, motivate and retain highly skilled personnel, representing diverse backgrounds, experiences, and skill sets, including senior management, engineers, designers, product managers, sales representatives, and customer support representatives. Our ability to execute efficiently is dependent upon contributions from our employees, including our senior management team and, in particular, Aaron Levie, our co-founder, Chairman and Chief Executive Officer. In addition, occasionally, there may be changes in our senior management team that may be disruptive to our business. If our senior management team, including any new hires that we may make, fails to work together effectively and to execute on our plans and strategies on a timely basis, our business could be harmed.

Our growth strategy also depends on our ability to expand our organization with highly skilled personnel. Identifying, recruiting, training and integrating qualified individuals will require significant time, expense and attention. In addition to hiring new employees, we must continue to focus on retaining our best employees, as well as a diverse and inclusive work environment that enables all of our employees to prosper. Competition for highly skilled personnel is intense, particularly in the San Francisco Bay Area, where our headquarters is located. We may need to invest significant amounts of cash and equity to attract and retain new employees, and we may never realize returns on these investments. Changes to U.S. immigration and work authorization laws and regulations, including those that restrain the flow of technical and professional talent, can be significantly affected by political forces and levels of economic activity. Our international expansion and our business in general may be materially adversely affected if legislative or administrative changes to immigration or visa laws and regulations impair our hiring processes and goals or projects involving personnel who are not citizens of the country where the work is to be performed.

If we are not able to effectively add and retain employees, our ability to achieve our strategic objectives will be adversely impacted, and our business will be harmed.

We may be sued by third parties for alleged infringement of their proprietary rights.

There is considerable patent and other intellectual property development activity in our industry. Our success depends on our not infringing upon the valid intellectual property rights of others. Our competitors, as well as a number of other entities, including non-practicing entities, and individuals, may own or claim to own intellectual property relating to our industry.

From time to time, certain other third parties have claimed that we are infringing upon their intellectual property rights, and we may be found to be infringing upon such rights. In addition, we cannot assure you that actions by other third parties alleging infringement by us of third-party patents will not be asserted or prosecuted against us. In the future, others may claim that our services and underlying technology infringe or violate their intellectual property rights. However, we may be unaware of the intellectual property rights that others may claim cover some or all of our technology or services. Any claims or litigation could cause us to incur significant expenses and, if successfully asserted against us, could require that we pay substantial damages or ongoing royalty payments, prevent us from offering our services, or require that we comply with other unfavorable terms. We may also be obligated to indemnify our customers or business partners or pay substantial settlement costs, including royalty payments, in connection with any such claim or litigation and to obtain licenses, modify services, or refund fees, which could be costly. Even if we were to prevail in such a dispute, any litigation regarding our intellectual property could be costly and time consuming and divert the attention of our management and key personnel from our business operations. During the course of any litigation, we may make announcements regarding the results of hearings and motions, and other interim developments. If securities analysts or investors regard these announcements as negative, the market price of our Class A common stock may decline.

21

---

Any failure to protect our intellectual property rights could impair our ability to protect our proprietary technology and our brand.

Our success and ability to compete depend in part on our intellectual property. We primarily rely on copyright, trade secret and trademark laws, trade secret protection and confidentiality or license agreements with our employees, customers, partners and others to protect our intellectual property rights. However, the steps we take to protect our intellectual property rights may be inadequate. We may not be able to obtain any further patents, and our pending applications may not result in the issuance of patents. We may also have to expend significant resources to obtain additional patents as we expand our international operations.

In order to protect our intellectual property rights, we may be required to spend significant resources to monitor and protect these rights. Litigation brought to protect and enforce our intellectual property rights could be costly, time-consuming and distracting to management and may result in the impairment or loss of portions of our intellectual property. Furthermore, our efforts to enforce our intellectual property rights may be met with defenses, counterclaims and countersuits attacking the validity and enforceability of our intellectual property rights. Accordingly, we may not be able to prevent third parties from infringing upon or misappropriating our intellectual property. Our failure to secure, protect and enforce our intellectual property rights could materially adversely affect our brand and adversely impact our business.

Our services contain open source software, and we license some of our software through open source projects, which may pose particular risks to our proprietary software, products, and services in a manner that could have a negative impact on our business.

We use open source software in our services and will use open source software in the future. In addition, we regularly contribute software source code to open source projects under open source licenses or release internal software projects under open source licenses, and anticipate doing so in the future. The terms of many open source licenses to which we are subject have not been interpreted by U.S. or foreign courts, and there is a risk that open source software licenses could be construed in a manner that imposes unanticipated conditions or restrictions on our ability to provide or distribute our services. Additionally, we may from time to time face claims from third parties claiming ownership of, or demanding release of, the open source software or derivative works that we developed using such software, which could include our proprietary source code, or otherwise seeking to enforce the terms of the applicable open source license. These claims could result in litigation and could require us to make our software source code freely available, purchase a costly license or cease offering the implicated services unless and until we can re-engineer them to avoid infringement. This re-engineering process could require significant additional research and development resources, and we may not be able to complete it successfully. In addition to risks related to license requirements, use of certain open source software can lead to greater risks than use of third-party commercial software, as open source code may contain bugs or other defects and open source licensors generally do not provide warranties or controls on the functionality or origin of software. Additionally, because any software source code we contribute to open source projects is publicly available, our ability to protect our intellectual property rights with respect to such software source code may be limited or lost entirely, and we are unable to prevent our competitors or others from using such contributed software source code. Any of these risks could be difficult to eliminate or manage, and, if not addressed, could have a negative effect on our business, financial condition and operating results.

We rely on third parties for certain financial and operational services essential to our ability to manage our business. A failure or disruption in these services could materially and adversely affect our ability to manage our business effectively.

We rely on third parties for certain essential financial and operational services. Traditionally, the vast majority of these services have been provided by large enterprise software vendors who license their software to customers. However, we receive many of these services on a subscription basis from various software-as-a-service companies that are smaller and have shorter operating histories than traditional software vendors. Moreover, these vendors provide their services to us via a cloud-based model instead of software that is installed on our premises. We depend upon these vendors to provide us with services that are always available and are free of errors or defects that could cause disruptions in our business processes, and any failure by these vendors to do so, or any disruptions in networks or the availability of the internet, would adversely affect our ability to operate and manage our operations.

22

---

We are subject to governmental export controls that could impair our ability to compete in international markets due to licensing requirements and economic sanctions programs that subject us to liability if we are not in full compliance with applicable laws.

Certain of our services are subject to export controls, including the U.S. Department of Commerce’s Export Administration Regulations and various economic and trade sanction regulations administered by the U.S. Treasury Department’s Office of Foreign Assets Controls. The provision of our products and services must comply with these laws. The U.S. export control laws and U.S. economic sanctions laws include prohibitions on the sale or supply of certain products and services to U.S. embargoed or sanctioned countries, governments, persons and entities and also require authorization for the export of encryption items. In addition, various countries regulate the import of certain encryption technology, including through import permitting and licensing requirements, and have enacted laws that could limit our ability to distribute our services or could limit our customers’ ability to implement our services in those countries.

Although we take precautions to prevent our services from being provided in violation of such laws, our solutions may have been in the past, and could in the future be, provided inadvertently in violation of such laws, despite the precautions we take. If we fail to comply with these laws, we and our employees could be subject to civil or criminal penalties, including the possible loss of export privileges, monetary penalties, and, in extreme cases, imprisonment of responsible employees for knowing and willful violations of these laws. We may also be adversely affected through penalties, reputational harm, loss of access to certain markets, or otherwise.

Changes in tariffs, sanctions, international treaties, export/import laws and other trade restrictions or trade disputes may delay the introduction and sale of our services in international markets, prevent our customers with international operations from deploying our services or, in some cases, prevent the export or import of our services to certain countries, governments, persons or entities altogether. Any change in export or import regulations, economic sanctions or related laws, shift in the enforcement or scope of existing regulations, or change in the countries, governments, persons or technologies targeted by such regulations, could result in decreased use of our services, or in our decreased ability to export or sell our services to existing or potential customers with international operations. Any decrease in the use of our services or limitation on our ability to export or sell our services would likely adversely affect our business, financial condition and operating results.

We provide service level commitments under our subscription agreements. If we fail to meet these contractual commitments, we could be obligated to provide credits or refunds for prepaid amounts related to unused subscription services or face subscription terminations, which could adversely affect our revenue. Furthermore, any failure in our delivery of high-quality customer support services may adversely affect our relationships with our customers and our financial results.

Our subscription agreements with customers provide certain service level commitments. If we are unable to meet the stated service level commitments or suffer periods of downtime that exceed the periods allowed under our customer agreements, we may be obligated to provide these customers with service credits which could significantly impact our revenue in the period in which the downtime occurs and the credits could be due. For example, in September 2019, a modification to a perimeter network configuration caused an internal routing problem which led to all Box services being temporarily unavailable. We could also face subscription terminations, which could significantly impact both our current and future revenue. Any extended service outages could also adversely affect our reputation, which would also impact our future revenue and operating results.

Our customers depend on our customer success organization to resolve technical issues relating to our services. We may be unable to respond quickly enough to accommodate short-term increases in customer demand for support services. Increased customer demand for these services, without corresponding revenue, could increase costs and adversely affect our operating results. In addition, our sales process is highly dependent on the ease of use of our services, on our reputation and on positive recommendations from our existing customers. Any failure to maintain high-quality customer support, or a market perception that we do not maintain high-quality support, could adversely affect our reputation and our ability to sell our services to existing and prospective customers.

23

---

Our services are becoming increasingly mission-critical for our customers and if these services fail to perform properly or if we are unable to scale our services to meet the needs of our customers, our reputation could be adversely affected, our market share could decline and we could be subject to liability claims.

Our core services and our expanded offerings such as Box KeySafe, Box Governance, Box Zones, Box Platform, Box Relay and Box Shield are becoming increasingly mission-critical to our customers’ internal and external business operations, as well as their ability to comply with legal requirements, regulations, and standards such as GxP, FINRA, HIPAA, and FedRAMP. These services and offerings are inherently complex and may contain material defects or errors. Any defects either in functionality or that cause interruptions in the availability of our services, as well as user error, could result in:

The costs incurred in correcting any material defects or errors might be substantial and could adversely affect our operating results. Further, our errors and omissions insurance may be inadequate or may not be available in the future on acceptable terms, or at all. In addition, our insurance may not cover all claims made against us and defending a lawsuit, regardless of its merit, could be costly and divert management’s attention.

Because of the large amount of data that we collect and manage, it is possible that hardware failures, software errors, errors in our systems, or by third-party service providers, user errors, or internet outages could result in data loss or corruption that our customers regard as significant. Furthermore, the availability or performance of our services could be adversely affected by a number of factors, including customers’ inability to access the internet, the failure of our network or software systems, security breaches or variability in customer traffic for our services. We have been required and, in the future, may be required to issue credits or refunds for prepaid amounts related to unused services or otherwise be liable to our customers for damages they may incur resulting from some of these events. In addition to potential liability, if we experience interruptions in the availability of our services, our reputation could be adversely affected, which could result in the loss of customers. For example, our customers access our services through their internet service providers. If a service provider fails to provide sufficient capacity to support our services or otherwise experiences service outages, such failure could interrupt our customers’ access to our services, adversely affect their perception of our services’ reliability and consequently reduce our revenue.

Furthermore, we will need to ensure that our services can scale to meet the needs of our customers, particularly as we continue to focus on larger enterprise customers. If we are not able to provide our services at the scale required by our customers, potential customers may not adopt our solution and existing customers may not renew their agreements with us.

If the prices we charge for our services are unacceptable to our customers, our operating results will be harmed.

As the market for our services matures, or as new or existing competitors introduce new products or services that compete with ours, we may experience pricing pressure and be unable to renew our agreements with existing customers or attract new customers at prices that are consistent with our pricing model and operating budget. If this were to occur, it is possible that we would have to change our pricing model or reduce our prices, which could harm our revenue, gross margin and operating results.

24

---

Sales to customers outside the United States or with international operations expose us to risks inherent in international sales.

A key element of our growth strategy is to expand our international operations and develop a worldwide customer base. To date, we have not realized a substantial portion of our revenue from customers outside of the United States. Operating in international markets requires significant resources and management attention and will subject us to regulatory, economic, geographic, social, and political risks that are different from those in the United States. Because of our limited experience with international operations and significant differences between international and U.S. markets, our international expansion efforts may not be successful in creating demand for our services outside of the United States or in effectively selling subscriptions to our services in all of the international markets we enter. In addition, we will face specific risks in doing business internationally that could adversely affect our business, including:

We sell our services and incur operating expenses in various currencies. Therefore, fluctuations in the value of the U.S. dollar and foreign currencies may impact our operating results when translated into U.S. dollars. We currently manage our exchange rate risk by matching foreign currency assets with payables and by maintaining minimal non-U.S. dollar cash reserves, but we do not have any other hedging programs in place to limit the risk of exchange rate fluctuation. In the future, however, to the extent our foreign currency exposures become more material, we may elect to deploy normal and customary hedging practices designed to more proactively mitigate such exposure. We cannot be certain such practice will ultimately be available and/or effective at mitigating all foreign currency risk to which we are exposed. If we are unsuccessful in detecting material exposures in a timely manner, our deployed hedging strategies are not effective, or there are no hedging strategies available for certain exposures that are prudent given the risks associated and the potential mitigation of the underlying exposure achieved, our operating results or financial position could be adversely affected in the future.

We are also monitoring developments related to Brexit, which could have significant implications for our business. Brexit could lead to economic and legal uncertainty, including significant volatility in global stock markets and currency exchange rates, and differing laws and regulations as the United Kingdom determines which European Union laws to replace or replicate. Any of these effects of Brexit, among others, could adversely affect our operations, especially in the United Kingdom, and our financial results.

25

---

Failure to adequately expand and optimize our direct sales force and successfully maintain our online sales experience will impede our growth.

We will need to continue to optimize our sales infrastructure in order to grow our customer base and our business. Identifying and recruiting qualified personnel and training them requires significant time, expense and attention. Our business may be adversely affected if our efforts to expand and train our direct sales force do not generate a corresponding increase in revenue. If we are unable to hire, develop and retain talented sales personnel or if new direct sales personnel are unable to achieve desired productivity levels in a reasonable period of time, we may not be able to realize the intended benefits of this investment or increase our revenue.

We maintain our Box website to efficiently service our high volume, low dollar customer transactions and certain customer inquiries. Our goal is to continue to evolve this online experience so it effectively serves the increasing and changing needs of our growing customer base. If we are unable to maintain the effectiveness of our online solution to meet the future needs of our online customers and to eliminate fraudulent transactions occurring in this channel, we could see reduced online sales volumes as well as a decrease in our sales efficiency, which could adversely affect our results of operations.

If we are unable to maintain and promote our brand, our business and operating results may be harmed.

We believe that maintaining and promoting our brand is critical to expanding our customer base. Maintaining and promoting our brand will depend largely on our ability to continue to provide useful, reliable and innovative services, which we may not do successfully. We may introduce new features, products, services or terms of service that our customers do not like, which may negatively affect our brand and reputation. Additionally, the actions of third parties may affect our brand and reputation if customers do not have a positive experience using third-party apps or other services that are integrated with Box. Maintaining and enhancing our brand may require us to make substantial investments, and these investments may not achieve the desired goals. If we fail to successfully promote and maintain our brand or if we incur excessive expenses in this effort, our business and operating results could be adversely affected.

Our growth depends in part on the success of our strategic relationships with third parties.

In order to grow our business, we anticipate that we will continue to depend on our relationships with third parties, such as alliance partners, resellers, distributors, system integrators and developers. For example, we have entered into agreements with partners such as AT&T, IBM, Microsoft and Google to market, resell, integrate with or endorse our services. Identifying partners and resellers, and negotiating and documenting relationships with them, requires significant time and resources. Also, we depend on our ecosystem of system integrators, partners and developers to create applications that will integrate with our platform or permit us to integrate with their product offerings. Our competitors may be effective in providing incentives to third parties to favor their products or services, or to prevent or reduce subscriptions to our services. In some cases, we also compete directly with our partners’ product offerings, and if these partners stop reselling or endorsing our services or impede our ability to integrate our services with their products, our business and operating results could be adversely affected. In addition, acquisitions of our partners by our competitors could result in a decrease in the number of current and potential customers, as our partners may no longer facilitate the adoption of our services by potential customers.

If we are unsuccessful in establishing or maintaining our relationships with third parties, or realizing the anticipated benefits from such partnerships, our ability to compete in the marketplace or to grow our revenue could be impaired and our operating results may suffer. Even if we are successful, we cannot assure you that these relationships will result in increased customer usage of our services or increased revenue.

Furthermore, if our partners and resellers fail to perform as expected, our reputation may be harmed and our business and operating results could be adversely affected.

26

---

We depend on our ecosystem of system integrators, partners and developers to create applications that will integrate with our platform or to allow us to integrate with their products.

We depend on our ecosystem of system integrators, partners and developers to create applications that will integrate with our platform and to allow us to integrate with their products. This presents certain risks to our business, including:

Many of these risks are not within our control to prevent, and our brand may be damaged if these applications do not perform to our users’ satisfaction and that dissatisfaction is attributed to us.

Our company culture has contributed to our success, and if we cannot maintain this culture as we grow, we could lose the innovation, creativity and teamwork fostered by our culture, and our business may be harmed.

We believe that our culture has been and will continue to be a key contributor to our success. We expect to continue to hire additional employees as we expand our business. If we do not continue to develop our company culture or maintain our core values as we grow and evolve both in the United States and abroad, we may be unable to foster the innovation, creativity and teamwork we believe we need to support our growth.

Future acquisitions and investments could disrupt our business and harm our financial condition and operating results.

Our success will depend, in part, on our ability to expand our services and grow our business in response to changing technologies, customer demands, and competitive pressures. In some circumstances, we may choose to do so through the acquisition of complementary businesses, teams of employees, and technologies rather than through internal development. The identification of suitable acquisition candidates can be difficult, time-consuming and costly, and we may not be able to successfully complete or integrate identified acquisitions. The risks we face in connection with acquisitions include:

27

---

Our failure to address these risks or other problems encountered in connection with our past or future acquisitions and investments could cause us to fail to realize the anticipated benefits of these acquisitions or investments, cause us to incur unanticipated liabilities, and harm our business generally. Future acquisitions could also result in dilutive issuances of our equity securities, the incurrence of debt, contingent liabilities, amortization expenses, incremental operating expenses or the write-off of goodwill, any of which could harm our financial condition or operating results.

We may require additional capital to support our operations or the growth of our business, and we cannot be certain that this capital will be available on reasonable terms when required, or at all.

On occasion, we may need additional financing to operate or grow our business. Our ability to obtain additional financing, if and when required, will depend on investor and lender demand, our operating performance, the condition of the capital markets and other factors. We cannot guarantee that additional financing will be available to us on favorable terms when required, or at all. If we raise additional funds through the issuance of equity, equity-linked or debt securities, those securities may have rights, preferences or privileges senior to the rights of our Class A common stock, and our existing stockholders may experience dilution. If we are unable to obtain adequate financing or financing on terms satisfactory to us when we require it, our ability to continue to support the operation or growth of our business could be significantly impaired and our operating results may be harmed.

Financing agreements we are party to or may become party to may contain operating and financial covenants that restrict our business and financing activities.

Our existing credit agreement contains certain operating and financial restrictions and covenants that may restrict our and our subsidiaries’ ability to, among other things, incur indebtedness, grant liens on our assets, make loans investments, consummate certain merger and consolidation transactions, dispose of assets and enter into affiliate transactions, subject in each case to customary exceptions. We are also required to comply with a minimum liquidity covenant and a maximum leverage ratio. These restrictions and covenants, as well as those contained in any future financing agreements that we may enter into, may restrict our ability to finance our operations, engage in, expand or otherwise pursue our business activities and strategies. Our ability to comply with these covenants may be affected by events beyond our control, and breaches of these covenants could result in a default under the credit agreement and any future financial agreements that we may enter into and under other arrangements containing cross-default provisions. If not waived, defaults could cause our outstanding indebtedness under our credit agreement and any future financing agreements that we may enter into to become immediately due and payable, and permit our lenders to terminate their lending commitments and to foreclose upon any collateral securing such indebtedness.

Adverse economic conditions may negatively impact our business.

Our business depends on the overall demand for cloud content management services and on the economic health of our current and prospective customers. The United States and other key international economies have experienced cyclical downturns from time to time that have resulted in a significant weakening of the economy, more limited availability of credit, a reduction in business confidence and activity, and other difficulties that may affect one or more of the industries to which we sell our services. Uncertainty about economic conditions in the United States, Europe, Japan and other key markets for our services could cause customers to delay or reduce their information technology spending. This could result in reductions in sales of our services, longer sales cycles, reductions in subscription duration and value, slower adoption of new technologies and increased price competition. Any of these events would likely have an adverse effect on our business, operating results and financial position. In addition, there can be no assurance that cloud content management and collaboration spending levels will increase following any recovery.

28

---

Changes in laws and regulations related to the internet or changes in the internet infrastructure itself, or disruption in access to the internet or critical services on which the internet depends, may diminish the demand for our services, and could have a negative impact on our business.

The future success of our business depends upon the continued use and availability of the internet as a primary medium for commerce, communication and business services. Federal, state or foreign government bodies or agencies have in the past adopted, and may in the future adopt, laws or regulations affecting the use of the internet as a commercial medium. The adoption of any laws or regulations that could adversely affect the growth, popularity or use of the internet, including laws or practices limiting internet neutrality, could decrease the demand for, or the usage of, our products and services, increase our cost of doing business, adversely affect our operating results, and require us to modify our services in order to comply with these changes. In addition, government agencies or private organizations may begin to impose taxes, fees or other charges for accessing the internet or commerce conducted via the internet. These laws or charges could limit the growth of internet-related commerce or communications generally, or result in reductions in the demand for internet-based services such as ours.

For example, in December 2017, the Federal Communications Commission voted to repeal the “net neutrality” rules and return to a “light-touch” regulatory framework. However, the repeal has not yet taken effect and a number of parties have already stated their intent to appeal this order; thus, the future impact of such repeal and any challenge thereto remains uncertain. The rules were designed to ensure that all online content is treated the same by internet service providers and other companies that provide broadband services. Should the repeal of net neutrality rules take effect, access to or demand for our services could be hindered, we could incur greater operating expenses, and our business and results of operations.

In addition, the use of the internet and, in particular, the cloud as a business tool could be adversely affected due to delays in the development or adoption of new standards and protocols to handle increased demands of internet activity, security, reliability, cost, ease of use, accessibility, and quality of service. The performance of the internet and its acceptance as a business tool have been adversely affected by “viruses,” “worms”, “denial of service attacks” and similar malicious activity. The internet has also experienced a variety of outages, disruptions and other delays as a result of this malicious activity targeted at critical internet infrastructure. These service disruptions could diminish the overall attractiveness to existing and potential customers of services that depend on the internet and could cause demand for our services to suffer.

We employ third-party software for use in or with our services, and the inability to maintain licenses to this software, or errors in the software, could result in increased costs, or reduced service levels, which would adversely affect our business.

Our services incorporate certain third-party software obtained under open source licenses or licenses from other companies. We anticipate that we will continue to rely on such third-party software and development tools in the future. Although we believe that there are commercially reasonable alternatives to the third-party software we currently license, this may not always be the case, or it may be difficult or costly to replace. In addition, integration of the software used in our services with new third-party software may require significant work and require substantial investment of our time and resources. Also, to the extent that our services depend upon the successful operation of third-party software in conjunction with our software, any undetected errors or defects in this third-party software could prevent the deployment or impair the functionality of our services, delay the introduction of new services introductions, result in a failure of our services, and injure our reputation. For example, we discovered that a bug in a third-party software library we use in our services caused a very small subset of certain files uploaded during a short period of time (from mid-December 2017 to early January 2018) to be stored in a partially-corrupted state. Our use of additional or alternative third-party software would require us to enter into additional license agreements with third parties.

If we fail to maintain an effective system of disclosure controls and internal control over financial reporting, our ability to produce timely and accurate financial statements or comply with applicable regulations could be impaired.

As a public company, we are subject to the reporting requirements of the Securities Exchange Act of 1934, the Sarbanes-Oxley Act and the listing standards of the New York Stock Exchange (NYSE). We expect that compliance with these rules and regulations will continue to increase our legal, accounting and financial compliance costs, make some activities more difficult, time consuming and costly, and place significant strain on our personnel, systems and resources.

29

---

The Sarbanes-Oxley Act requires, among other things, that we maintain effective disclosure controls and procedures, and internal control over financial reporting. We are continuing to develop and refine our disclosure controls and other procedures that are designed to ensure that information required to be disclosed by us in the reports that we file with the SEC is properly recorded, processed, summarized and reported within the time periods specified in SEC rules and forms. We are also continuing to improve our internal control over financial reporting. We have expended, and anticipate that we will continue to expend, significant resources in order to maintain and improve the effectiveness of our disclosure controls and procedures and internal control over financial reporting.

Our current controls and any new controls that we develop may become inadequate because of changes in conditions in our business, including increased complexity resulting from our international expansion. Further, weaknesses in our disclosure controls or our internal control over financial reporting may be discovered in the future. Additionally, to the extent that we acquire other businesses, the acquired company may not have a sufficiently robust system of internal controls and we may uncover new deficiencies. Any failure to develop or maintain effective controls, or any difficulties encountered in their implementation or improvement, could harm our operating results or cause us to fail to meet our reporting obligations and may result in a restatement of our financial statements for prior periods. Any failure to implement and maintain effective internal control over financial reporting could also adversely affect the results of management reports and independent registered public accounting firm audits of our internal control over financial reporting that we are required to include in our periodic reports that we file with the SEC. Ineffective disclosure controls and procedures, and internal control over financial reporting could also cause investors to lose confidence in our reported financial and other information, which would likely have a negative effect on the market price of our Class A common stock. In addition, if we are unable to continue to meet these requirements, we may not be able to remain listed on the NYSE.

Any failure to maintain effective disclosure controls and internal control over financial reporting could have a material and adverse effect on our business and operating results, and cause a decline in the market price of our Class A common stock.

Failure to comply with anti-bribery, anti-corruption, and anti-money laundering laws could subject us to penalties and other adverse consequences.

We are subject to the Foreign Corrupt Practices Act, or the FCPA, the U.K. Bribery Act and other anti-corruption, anti-bribery and anti-money laundering laws in various jurisdictions both domestic and abroad. In addition to our own sales force, we also leverage third parties to sell our products and services and conduct our business abroad. We and our third-party intermediaries may have direct or indirect interactions with officials and employees of government agencies or state-owned or affiliated entities and may be held liable for the corrupt or other illegal activities of these third-party business partners and intermediaries, our employees, representatives, contractors, channel partners, and agents, even if we do not explicitly authorize such activities. While we have policies and procedures to address compliance with such laws, we cannot assure you that our employees and agents will not take actions in violation of our policies or applicable law, for which we may be ultimately held responsible. Any violation of the FCPA or other applicable anti-bribery, anti-corruption laws, and anti-money laundering laws could result in whistleblower complaints, adverse media coverage, investigations, loss of export privileges, severe criminal or civil sanctions, or suspension or debarment from U.S. government contracts, all of which may have an adverse effect on our reputation, business, operating results and prospects.

Our ability to use our net operating loss carryforwards and certain other tax attributes may be limited.

As of January 31, 2020, we had U.S. federal net operating loss carryforwards of approximately $735.2 million, state net operating loss carryforwards of approximately $675.0 million, and foreign net operating loss carryforwards of approximately $320.6 million. Under Sections 382 and 383 of Internal Revenue Code of 1986, as amended, if a corporation undergoes an “ownership change,” the corporation’s ability to use its pre-change net operating loss carryforwards and other pre-change tax attributes, such as research tax credits, to offset its post-change income and taxes may be limited. In general, an “ownership change” occurs if there is a cumulative change in our ownership by “5% shareholders” that exceeds 50 percentage points over a rolling three-year period. Similar rules may apply under state tax laws. We have in the past experienced an ownership change which has impacted our ability to fully realize the benefit of these net operating loss carryforwards. If we experience additional ownership changes as a result of future transactions in our stock, then we may be further limited in our ability to use our net operating loss carryforwards and other tax assets to reduce taxes owed on the net taxable income that we earn. Any such limitations on the ability to use our net operating loss carryforwards and other tax assets could adversely impact our business, financial condition and operating results.

30

---

Tax laws or regulations could be enacted or changed and existing tax laws or regulations could be applied to us or to our customers in a manner that could increase the costs of our services and adversely impact our business.

The application of federal, state, local and international tax laws to services provided electronically is unclear and continuously evolving. Income, sales, use or other tax laws, statutes, rules, regulations or ordinances could be enacted or amended at any time, such as the Tax Act in the United States, possibly with retroactive effect, and could be applied solely or disproportionately to services provided over the internet. These enactments or amendments could adversely affect our sales activity due to the inherent cost increase the taxes would represent and ultimately result in a negative impact on our operating results and cash flows.

In addition, existing tax laws, statutes, rules, regulations or ordinances could be interpreted or applied adversely to us, possibly with retroactive effect, which could require us or our customers to pay additional tax amounts, as well as require us or our customers to pay fines or penalties, as well as interest for past amounts. If we are unsuccessful in collecting such taxes due from our customers, we could be held liable for such costs, thereby adversely impacting our operating results and cash flows.

We may be subject to additional tax liabilities.

We are subject to income, sales, use, value added and other taxes in the United States and other countries in which we conduct business, and such laws and rates vary by jurisdiction. Certain jurisdictions in which we do not collect sales, use, value added or other taxes on our sales may assert that such taxes are applicable, which could result in tax assessments, penalties and interest, and we may be required to collect such taxes in the future. Significant judgment is required in determining our worldwide provision for income taxes. These determinations are highly complex and require detailed analysis of the available information and applicable statutes and regulatory materials. In the ordinary course of our business, there are many transactions and calculations where the ultimate tax determination is uncertain. Although we believe our tax estimates are reasonable, the final determination of tax audits and any related litigation could be materially different from our historical tax practices, provisions and accruals. If we receive an adverse ruling as a result of an audit, or we unilaterally determine that we have misinterpreted provisions of the tax regulations to which we are subject, there could be a material effect on our tax provision, net loss or cash flows in the period or periods for which that determination is made. In addition, liabilities associated with taxes are often subject to an extended or indefinite statute of limitations period. Therefore, we may be subject to additional tax liability (including penalties and interest) for a particular year for extended periods of time.

Our reported financial results may be adversely affected by changes in accounting principles generally accepted in the United States.

Generally accepted accounting principles (GAAP) in the United States are subject to interpretation by the Financial Accounting Standards Board (FASB), the SEC and various bodies formed to promulgate and interpret appropriate accounting principles. A change in these principles or interpretations could have a significant effect on our reported financial results, and could affect the reporting of transactions completed before the announcement of a change. For example, in February 2016, the FASB issued accounting standards update No. 2016-02, which requires lessees to record most leases on their balance sheet while recognizing expense in a manner similar to current lease accounting guidance. ASU 2016-02 states that a lessee would recognize a lease liability for the obligation to make lease payments and a right-to-use asset for the right to use the underlying asset for the lease term. The new accounting guidance was effective for us beginning February 1, 2019 and our financial statements were materially affected as further discussed in Note 2 of our Notes to Consolidated Financial Statements included in Part II, Item 8 of this Annual Report on Form 10-K. In addition, were we to change our critical accounting estimates, including the timing of recognition of subscription revenue and other revenue sources, our results of operations could be significantly impacted. These or other changes in accounting principles could adversely affect our financial results. Any difficulties in implementing these pronouncements could cause us to fail to meet our financial reporting obligations, which could result in regulatory discipline and harm investors’ confidence in us.

31

---

Risks Related to Ownership of Our Class A Common Stock

Anti-takeover provisions contained in our amended and restated certificate of incorporation and amended and restated bylaws, as well as provisions of Delaware law, could impair a takeover attempt.

Our amended and restated certificate of incorporation, amended and restated bylaws and Delaware law contain provisions which could have the effect of rendering more difficult, delaying or preventing an acquisition deemed undesirable by our board of directors. Among other things, our amended and restated certificate of incorporation and amended and restated bylaws include provisions:

These provisions, alone or together, could delay or prevent hostile takeovers and changes in control or changes in our management.

As a Delaware corporation, we are also subject to provisions of Delaware law, including Section 203 of the Delaware General Corporation Law, which prevents certain stockholders holding more than 15% of our outstanding capital stock from engaging in certain business combinations without approval of the holders of at least two-thirds of our outstanding common stock not held by such stockholder.

Any provision of our amended and restated certificate of incorporation, amended and restated bylaws or Delaware law that has the effect of delaying, preventing or deterring a change in control could limit the opportunity for our stockholders to receive a premium for their shares of our capital stock, and could also affect the price that some investors are willing to pay for our Class A common stock.

The market price of our Class A common stock has been and may continue to be volatile, and you could lose all or part of your investment.

The market price of our Class A common stock has been and may continue to be subject to wide fluctuations in response to various factors, some of which are beyond our control and may not be related to our operating performance. For example, from February 1, 2019 through January 31, 2020, the closing price of our Class A common stock ranged from $13.03 per share to $24.88 per share. In addition to the factors discussed in this “Risk Factors” section and elsewhere in this Annual Report on Form 10-K, factors that could cause fluctuations in the market price of our Class A common stock include the following:

32

---

In addition, in the past, following periods of volatility in the overall market and the market price of a particular company’s securities, securities class action litigation has often been instituted against these companies. In 2019, we were the subject of securities litigation. This or any future securities litigation could result in substantial costs and a diversion of our management’s attention and resources.

Our business could be negatively affected as a result of activist shareholders.

Responding to actions by activist shareholders could be costly and time-consuming, disrupt our operations and divert the attention of management and our employees. Additionally, perceived uncertainties as to our future direction as a result of shareholder activism or changes to the composition of our board of directors may lead to the perception of a change in the direction of our business or other instability, which may be exploited by our competitors, cause concern to our current or potential customers, and make it more difficult to attract and retain qualified personnel. If customers choose to delay, defer or reduce transactions with us or do business with our competitors instead of us, then our business, financial condition and operating results would be adversely affected. In addition, our share price could experience periods of increased volatility as a result of shareholder activism.

If securities or industry analysts do not publish or cease publishing research or reports about us, our business, our market or our competitors, or if they adversely change their recommendations regarding our Class A common stock, the market price of our Class A common stock and trading volume could decline.

The trading market for our Class A common stock is influenced, to some extent, by the research and reports that securities or industry analysts publish about us, our business, our market or our competitors. If any of the analysts who cover us adversely change their recommendations regarding our Class A common stock or provide more favorable recommendations about our competitors, the market price of our Class A common stock would likely decline. If any of the analysts who may cover us were to cease coverage of our company or fail to regularly publish reports on us, we could lose visibility in the financial markets, which in turn could cause the market price of our Class A common stock or trading volume to decline.

33

---

We do not expect to declare any dividends in the foreseeable future.

We do not anticipate declaring any cash dividends to holders of our Class A common stock in the foreseeable future. Consequently, investors may need to rely on sales of our Class A common stock after price appreciation, which may never occur, as the only way to realize any future gains on their investment. Investors seeking cash dividends should not purchase shares of our Class A common stock.

 

Item 1B. UNRESOLVED STAFF COMMENTS

Not applicable.

Item 2. PROPERTIES

Our corporate headquarters, which includes research and development, sales, marketing, business operations and executive offices, is located in Redwood City, California. It consists of approximately 340,000 square feet of space under a lease that expires in fiscal 2029. We sublease a portion of this space.

We also lease offices in other locations, with our principal offices in San Francisco, California; Austin, Texas; New York, New York; London, England; and Tokyo, Japan. We intend to procure additional space as we add employees in our current locations and expand geographically. We believe that our facilities are adequate to meet our needs for the immediate future, and that, should it be needed, suitable additional space will be available to accommodate expansion of our operations.

Item 3. LEGAL PROCEEDINGS

From time to time, we are a party to litigation and subject to claims that arise in the ordinary course of business. We investigate these claims as they arise and accrue estimates for resolution of legal and other contingencies when losses are probable and estimable. Although the results of litigation and claims cannot be predicted with certainty, we believe there was not at least a reasonable possibility that we had incurred a material loss with respect to such loss contingencies as of January 31, 2020.

On June 6, 2019, a purported securities class action was filed in the U.S. District Court for the Northern District of California naming Box and certain of its officers and directors as defendants. The action was voluntarily dismissed without prejudice on December 16, 2019.

On October 23, 2019, a shareholder derivative complaint was filed in the Superior Court of California, San Mateo County, purportedly on behalf of Box and naming as defendants certain current and former officers and directors. The complaint was voluntarily dismissed without prejudice on December 26, 2019.

Item 4. MINE SAFETY DISCLOSURE

Not applicable.

34

---

PART II

Item 5. MARKET FOR REGISTRANT’S COMMON EQUITY, RELATED STOCKHOLDER MATTERS AND ISSUER PURCHASES OF EQUITY SECURITIES

Market Information for Common Stock

Our Class A common stock began trading on the New York Stock Exchange under the symbol “BOX” on January 23, 2015. Prior to that date, there was no public trading market for shares of our Class A common stock.

Holders of Record

As of February 28, 2020, there were 248 holders of record of our Class A common stock. Because many of our shares of Class A common stock are held by brokers and other institutions on behalf of stockholders, we are unable to estimate the total number of beneficial owners of our Class A common stock represented by these record holders.

Dividend Policy

We have never declared or paid cash dividends on our capital stock. We currently intend to retain all available funds and any future earnings for use in the operation of our business and do not anticipate paying any dividends on our capital stock in the foreseeable future. Any future determination to declare dividends will be made at the discretion of our board of directors, subject to applicable laws, and will depend on our financial condition, operating results, capital requirements, general business conditions and other factors that our board of directors may deem relevant.

Unregistered Sales of Equity Securities

None.

Issuer Purchases of Equity Securities

None.

35

---

Performance Graph

This performance graph shall not be deemed “soliciting material” or to be “filed” with the SEC for purposes of Section 18 of the Securities Exchange Act of 1934, as amended (Exchange Act), or otherwise subject to the liabilities under that Section, and shall not be deemed to be incorporated by reference into any filing of Box, Inc. under the Securities Act of 1933, as amended, or the Exchange Act.

The following graph compares the cumulative total return to stockholders on our common stock relative to the cumulative total returns of the Standard & Poor’s 500 Index, or S&P 500, and the NASDAQ Computer Index. An investment of $100 (with reinvestment of all dividends) is assumed to have been made in our Class A common stock and in each index on January 31, 2015 and its relative performance is tracked through January 31, 2020. The returns shown are based on historical results and are not intended to suggest future performance.

 

 

 

 

36

---

Item 6. SELECTED CONSOLIDATED FINANCIAL DATA

The following selected historical consolidated financial data should be read in conjunction with “Management’s Discussion and Analysis of Financial Condition and Results of Operations” in Part II, Item 7 of this Annual Report on Form 10-K and our consolidated financial statements and the related notes included in Item 8 of this Annual Report on Form 10-K. The historical results are not necessarily indicative of the results to be expected in any future period. We adopted ASC Topic 842, effective February 1, 2019, and ASC Topic 606, effective February 1, 2018, both utilizing the modified retrospective method. The reported results for fiscal year 2020 reflect the application of ASC 842, and the reported results for fiscal year 2019 onwards reflect the application of ASC 606. The reported results for fiscal years presented prior to adoption are not adjusted and continue to be reported under ASC Topic 840 and ASC Topic 605.

 

 

 

 

 

37

---

 

 

 

38

---

Item 7. MANAGEMENT’S DISCUSSION AND ANALYSIS OF FINANCIAL CONDITION AND RESULTS OF OPERATIONS

You should read the following discussion and analysis of our financial condition and results of operations together with the section titled “Selected Consolidated Financial Data” and the consolidated financial statements and related notes included elsewhere in this Annual Report on Form 10-K. This discussion contains forward-looking statements based upon current expectations that involve risks and uncertainties. Our actual results may differ materially from those anticipated in these forward-looking statements as a result of various factors, including those discussed in the section titled “Risk Factors” and in other parts of this Annual Report on Form 10-K.

Overview

Box provides a leading cloud content management platform that enables organizations of all sizes to securely manage their content while allowing easy, secure access and sharing of this content from anywhere, on any device. With our Software-as-a-Service (SaaS) cloud content management platform, users can collaborate on content both internally and with external parties, automate content-driven business processes, develop custom applications, and implement data protection, security and compliance features to comply with legal and regulatory requirements, internal policies and industry standards and regulations. Box provides a single content platform that accelerates business processes, improves employee productivity and protects an organization’s most valuable data. Our platform enables a broad set of business use cases across enterprises, hundreds of file formats and media types, and user experiences. Our platform integrates with leading enterprise business applications, and is compatible with multiple application environments, operating systems and devices, ensuring that workers have access to their critical business content whenever and wherever they need it.

At our founding, we recognized that content is more accessible, secure and powerful when it is centrally stored, managed, and shared. In 2005, we publicly launched our cloud content management platform, which we have architected from the ground up, with a simple but powerful idea: to make it incredibly easy for people to securely manage, share and collaborate on their most important content online. Our cloud content management platform is built to meet the evolving demands of today’s distributed and mobile workforce, and for enterprises that are looking to benefit from the increasing digitization of business.

In addition, we continue to innovate by expanding our core services and our expanded offerings with a focus on frictionless security and compliance, seamless internal and external collaboration and workflow, and integration with best-of-breed applications. For example, we provide Box Shield, our advanced security offering that helps customers reduce the risk of accidental data leakage and protect their business from insider threats and account compromise; Box KeySafe, a solution